From: Doug Hardie
To: Scott Bennett
Cc: freebsd-questions@freebsd.org
Subject: Re: pf can't get memory for tables
Date: Wed, 15 Feb 2017 23:17:10 -0800

> On 15 February 2017, at 22:12, Scott Bennett wrote:
>
> I have a rather long list of IP addresses and address ranges in a file
> loaded by pf for reference by a block rule. After the latest addition of a
> batch of addresses to be blocked, I got an error when I tried to reload the
> file into the table in pf.
>
> hellas# pfctl -f /ztmp3c/pf/pfbnew -t Crackers -T replace
> pfctl: Cannot allocate memory.
> hellas#
>
> What value can I increase to accommodate pf, so that it can reload the table?
> (Stopping and restarting pf also fails with the same error message.) I expect
> to continue adding more addresses into the foreseeable future, so I have to
> be able to continue to satisfy pf's needs.

I believe you are hitting the table-entries hard limit. See Peter N M Hansteen's "The Book of PF" for details. The 3rd edition is available here:

https://pdf.k0nsl.org/C/Computer%20and%20Internet%20Collection/2015%20Computer%20and%20Internet%20Collection%20part%201/No%20Starch%20Press%20The%20Book%20of%20PF,%20A%20No-Nonsense%20Guide%20to%20the%20OpenBSD%20Firewall%203rd%20(2015).pdf

Good luck with that URL. I found it by searching for his name and the book name. That might be easier than trying to enter that URL.

Anyway, this is addressed in Section 10 in the Limits section. The limits are changeable quite easily, but there are significant concerns with such. The book addresses those better than I can.
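
Added example, not part of the original message or of pf itself: a shell sketch that compares the number of entries in a table file with the table-entries hard limit reported by `pfctl -sm`, and prints a `set limit table-entries` line for pf.conf when the file does not fit. The function names, the sample limit values, the sample table file, and the one-entry-per-line file layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: does a pf table file fit under the table-entries hard limit?

# Extract the table-entries hard limit from `pfctl -sm` output on stdin.
pf_table_limit() {
    awk '$1 == "table-entries" && $2 == "hard" { print $NF }'
}

# Count entries in a table file, assuming one address or CIDR block per
# line with blank lines and "#" comments ignored.
pf_count_entries() {
    awk '{ sub(/#.*/, "") } NF { n++ } END { print n + 0 }' "$1"
}

# Usage: pf_check_table FILE LIMIT
# Prints "ok ..." if the file fits; otherwise prints a pf.conf line with
# room for growth (twice the current entry count) and returns 1.
pf_check_table() {
    entries=$(pf_count_entries "$1")
    if [ "$entries" -le "$2" ]; then
        echo "ok entries=$entries limit=$2"
    else
        echo "over entries=$entries limit=$2: set limit table-entries $((entries * 2))"
        return 1
    fi
}

# Constructed sample of `pfctl -sm` output (values are illustrative).
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# Constructed table file using documentation address ranges.
demo_table=$(mktemp)
printf '%s\n' '# blocked hosts' '192.0.2.10' '198.51.100.0/24  # a range' '' '203.0.113.7' > "$demo_table"

limit=$(printf '%s\n' "$SAMPLE_LIMITS" | pf_table_limit)
pf_check_table "$demo_table" "$limit"

# On the firewall itself (path from the original message):
#   pf_check_table /ztmp3c/pf/pfbnew "$(pfctl -sm | pf_table_limit)"
```

The suggested `set limit table-entries` line goes in pf.conf and takes effect when the ruleset is reloaded; the doubling factor is only a starting point for headroom.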